The netfilter coreteam presents:

iptables version 1.4.10

the iptables release for the 2.6.39 kernels.

Due to some mistakes on my side, we didn't have a release for longer than expected, so this contains a rather large number of changes.

Changes include:

- various bugfixes, cleanups and documentation updates
- a new "guided option parser" from Jan, replacing a lot of the open-coded option parsing with a data-driven parser
- support for the current SET target as contained in 2.6.39
- support for the new devgroup match
- support for the new AUDIT target
- support for a new NFQUEUE bypass option, which allows the queue to be bypassed when no userspace listener is present
- a new iptables option "-C" to check for the existence of a rule
- a new xtables-multi binary which supports both IPv4 and IPv6

See the attached changelogs for the full list of changes.

Version 1.4.11 can be obtained from:

http://www.netfilter.org/projects/iptables/downloads.html
ftp://ftp.netfilter.org/pub/iptables/
git://git.netfilter.org/iptables.git

On behalf of the Netfilter Core Team.

Happy firewalling!
Changli Gao (1):
      iptables: fix the dead loop when meeting unknown options

Florian Westphal (3):
      libxt_conntrack: fix --ctdir save/dump output format
      libxt_time: fix random --datestart skips
      extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option

JP Abgrall (1):
      libxt_quota: make sure uint64 is not truncated

Jan Engelhardt (218):
      libxtables: change option precedence order to be intuitive
      libxt_TOS: avoid an undesired overflowing computation
      iptables: fix longopt recognition and workaround getopt(3) behavior
      Revert "Revert "libxtables: change option precedence order to be intuitive""
      Merge branch 'master' of git://dev.medozas.de/iptables into m2
      iptables: reset options at the start of each command
      iptables: do not emit orig_opts twice
      include: update files with headers from Linux 2.6.37-rc1
      TPROXY: add support for revision 1
      socket: add support for revision 1
      build: fix globbing of extensions in other locales
      libxt_owner: output numeric IDs when save is requested
      Merge commit 'v1.4.10'
      build: stop on error in subcommand
      src: const annotations
      xt_comment: remove redundant cast
      src: use C99/POSIX types
      iptables: abort on empty interface specification
      xtables: reorder num_old subtraction for clarity
      ip[6]tables: only call match's parse function when option char is in range
      ip[6]tables: only call target's parse function when option char is in range
      extensions: remove no longer necessary default: cases
      libxt_sctp: fix a typo
      libipt_CLUSTERIP: const annotations
      libxtables: do some option structure checking
      libxt_quota: print negation when it has been selected
      libxt_connlimit: reword help text to say prefix length
      libxt_connlimit: add a --connlimit-upto option
      libxt_connlimit: support for dstaddr-supporting revision 1
      libxt_connlimit: remove duplicate member that caused size change
      libxt_quota: clarifications on matching
      iptables: improve error reporting with extension loading troubles
      libxt_u32: enclose argument in quotes
      xtables: set custom opts to NULL on free
      iptables: warn when parameter limit is exceeded
      iptables: remove bogus address-of
      iptables: remove more redundant casts
      iptables: do not print trailing whitespaces
      src: collect do_command variables in a struct
      src: move large default: block from do_command6 into its own function
      src: share iptables_command_state across the two programs
      src: deduplicate find_proto function
      src: move OPT_FRAGMENT to the end so the list can be shared
      src: put shared option flags into xshared
      src: deduplicate and simplify implicit protocol extension loading
      src: unclutter command_default function
      src: move jump option handling from do_command6 into its own function
      src: move match option handling from do_command6 into its own functions
      iptables: fix error message for unknown options
      iptables: fix segfault target option parsing
      ip6tables: spacing fixes for -o argument
      libxt_devgroup: option whitespace update following v1.4.10-49-g7386635
      extensions: fix indent of vtable
      doc: fix wrong sentence about negation in xt_limit
      doc: fix misspelling of "field"
      extensions: remove redundant init functions
      Remove unused CVS expanded keywords
      libip6t_dst: remove unimplemented --dst-not-strict
      libip6t_hbh: remove unimplemented --hbh-not-strict
      extensions: add missing checks for specific flags
      libipt_ECN: set proper option flags
      doc: mention other possible nf_loggers for TRACE
      doc: fix odd partial sentence in libipt_TTL
      libxt_quota: require --quota to be specified
      doc: rateest options can be optional
      libxtables: fix memory scribble beyond end of array
      iptables: fix an inversion
      doc: add VERSION section to manpages
      extensions: add missing checks for specific flags (2)
      libxtables: guided option parser
      libxt_CHECKSUM: use guided option parser
      libxt_socket: use guided option parser
      libxtables: provide better final_check
      libxt_CONNSECMARK: use guided option parser
      libxtables: XTTYPE_UINT32 support
      libxt_cpu: use guided option parser
      libxtables: min-max option support
      libxt_cluster: use guided option parser
      libxtables: XTTYPE_UINT8 support
      libip[6]t_HL: use guided option parser
      libip[6]t_hl: use guided option parser
      libxtables: XTTYPE_UINT32RC support
      libip[6]t_ah: use guided option parser
      libip6t_frag: use guided option parser
      libxt_esp: use guided option parser
      libxtables: XTTYPE_STRING support
      libip[6]t_REJECT: use guided option parser
      libip6t_dst: use guided option parser
      libip6t_hbh: use guided option parser
      libip[6]t_icmp: use guided option parser
      libip6t_ipv6header: use guided option parser
      libipt_ECN: use guided option parser
      libipt_addrtype: use guided option parser
      libxt_AUDIT: use guided option parser
      libxt_CLASSIFY: use guided option parser
      libxt_DSCP: use guided option parser
      libxt_LED: use guided option parser
      libxt_SECMARK: use guided option parser
      libxt_TCPOPTSTRIP: use guided option parser
      libxt_comment: use guided option parser
      libxt_helper: use guided option parser
      libxt_physdev: use guided option parser
      libxt_pkttype: use guided option parser
      libxt_state: use guided option parser
      libxt_time: use guided option parser
      libxt_u32: use guided option parser
      doc: avoid duplicate entries in manpage
      libxtables: XTTYPE_MARKMASK32 support
      libxt_MARK: use guided option parser
      libxt_CONNMARK: use guided option parser
      libxtables: XTTYPE_UINT64 support
      libxt_quota: use guided option parser
      libxtables: linked-list name<->id map
      libxt_devgroup: use guided option parser
      libipt_realm: use guided option parser
      libxtables: XTTYPE_UINT16RC support
      libxt_length: use guided option parser
      libxt_tcpmss: use guided option parser
      libxtables: XTTYPE_UINT8RC support
      libxtables: XTTYPE_UINT64RC support
      libxt_connbytes: use guided option parser
      libxtables: XTTYPE_UINT16 support
      libxt_CT: use guided option parser
      libxt_NFQUEUE: use guided option parser
      libxt_TCPMSS: use guided option parser
      libxtables: pass struct xt_entry_{match,target} to x6 parser
      libxt_string: use guided option parser
      libxtables: XTTYPE_SYSLOGLEVEL support
      libip[6]t_LOG: use guided option parser
      libxtables: XTTYPE_ONEHOST support
      libxtables: XTTYPE_PORT support
      libxt_TPROXY: use guided option parser
      libipt_ULOG: use guided option parser
      build: bump libxtables ABI version
      libxt_TEE: use guided option parser
      xtoptions: respect return value in xtables_getportbyname
      libxt_TOS: use guided option parser
      libxt_tos: use guided option parser
      extensions: remove unused TOS code
      libxtables: XTTYPE_PORTRC support
      libxt_udp: use guided option parser
      libxt_dccp: use guided option parser
      libxt_tos: add inversion support back again
      libxtables: fix assignment in wrong offset (XTTYPE_UINT*RC)
      libxt_u32: add missing call to xtables_option_parse
      extensions: remove bogus use of XT_GETOPT_TABLEEND
      libxt_owner: remove ifdef IPT_COMM_OWNER
      libxtables: output name of extension on rev detect failure
      extensions: const annotations
      libxt_statistic: streamline and document possible placement of negation
      libxt_statistic: increase precision on create and dump
      libxtables: XTTYPE_DOUBLE support
      libxt_statistic: use guided option parser
      libxt_IDLETIMER: use guided option parser
      libxt_NFLOG: use guided option parser
      libxtables: support for XTTYPE_PLENMASK
      libxt_connlimit: use guided option parser
      libxt_recent: use guided option parser
      libxtables: do not overlay addr and mask parts, and cleanup
      libxtables: flag invalid uses of XTOPT_PUT
      libxtables: XTTYPE_PLEN support
      libxt_hashlimit: use guided option parser
      libxtables: XTTYPE_HOSTMASK support
      libxt_policy: use guided option parser
      libxt_owner: use guided option parser
      libxt_osf: use guided option parser
      libxt_multiport: use guided option parser
      libipt_NETMAP: use guided option parser
      libxt_limit: use guided option parser
      libxtables: XTTYPE_PROTOCOL support
      libxt_ipvs: use guided option parser
      doc: S/DNAT allows to omit IP addresses
      libxt_conntrack: use guided option parser
      libip6t_mh: use guided option parser
      libip6t_rt: use guided option parser
      libxtables: XTTYPE_ETHERMAC support
      libxt_mac: use guided option parser
      libipt_CLUSTERIP: use guided option parser
      libxt_iprange: use guided option parser
      libipt_DNAT: use guided option parser
      libipt_SNAT: use guided option parser
      libipt_MASQUERADE: use guided option parser
      libipt_REDIRECT: use guided option parser
      libipt_SAME: use guided option parser
      src: replace old IP*T_ALIGN macros
      src: combine default_command functions
      libxt_policy: option table fixes, improved error tracking
      libxtables: avoid running into .also checks when option not used
      libxt_policy: use XTTYPE_PROTOCOL type
      libxtables: collapse double protocol parsing
      libipt_[SD]NAT: flag up module name on error
      libipt_[SD]NAT: avoid false error about multiple destinations specified
      libxt_conntrack: correct printed module name
      libxt_conntrack: fix assignment to wrong member
      libxt_conntrack: resolve erroneous rev-2 port range message
      libip6t_rt: rt-0-not-strict should take no arg
      libxtables: retract _NE types and use a flag instead
      libxt_quota: readd missing XTOPT_PUT request
      libxtables: check for negative numbers in xtables_strtou*
      libxt_rateest: streamline case display of units
      doc: add some coded option examples to libxt_hashlimit
      doc: make usage of libxt_rateest more obvious
      doc: clarify that -p all is a special keyword only
      doc: use .IP list for TCPMSS
      doc: remove redundant .IP calls in libxt_time
      libxt_ipvs: restore network-byte order
      libxt_u32: --u32 option is required
      libip6t_rt: restore --rt-type storing
      libxtables: more detailed error message on multi-int parsing
      libxtables: use uintmax for xtables_strtoul
      libxtables: make multiint parser have greater range
      libxtables: unclutter xtopt_parse_mint
      libxtables: have xtopt_parse_mint interpret partially-spec'd ranges
      libxt_NFQUEUE: avoid double attempt at parsing
      libxt_NFQUEUE: add mutual exclusion between qnum and qbal
      libxt_time: always ignore libc timezone
      libxt_time: --utc and --localtz are mutually exclusive
      libxt_time: deprecate --localtz option, document kernel TZ caveats

Jozsef Kadlecsik (3):
      Fix listing/saving the new revision of the SET target
      Fix set match/target direction parser
      SET target revision 2 added

Li Yewang (1):
      xtables: fix typo in error message of xtables_register_match()

Lutz Jaenicke (2):
      libipt_REDIRECT: "--to-ports" is not mandatory
      libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flags

Maciej Zenczykowski (20):
      man pages: allow underscores in match and target names
      mark newly opened fds as FD_CLOEXEC (close on exec)
      xtables_ip6addr_to_numeric: fix typo in comment
      xtables: delay (statically built) match/target initialization
      v4: rename init_extensions() to init_extensions4()
      v6: rename init_extensions() to init_extensions6()
      xtables.h: init_extensions() no longer exists
      v4: rename for_each_chain() to for_each_chain4()
      v6: rename for_each_chain() to for_each_chain6()
      v4: rename flush_entries() to flush_entries4()
      v6: rename flush_entries() to flush_entries6()
      v4: rename delete_chain() to delete_chain4()
      v6: rename delete_chain() to delete_chain6()
      v4: rename print_rule() to print_rule4()
      v6: rename print_rule() to print_rule6()
      v4: rename do_command() to do_command4()
      v6: rename do_command() to do_command6()
      move 'int line' definition from ip6?tables.c into xtables.c
      convert ip6?tables-multi to actually use their own header files
      Don't load ip6?_tables module when already loaded

Maciej Żenczykowski (3):
      Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.
      Move common parts of libext{4,6}.a into libext.a
      combine ip6?tables-multi into xtables-multi

Mark Montague (1):
      iptables: documentation for iptables and ip6tables "security" tables

Max Kellerman (1):
      xtables: use strspn() to check if string needs to be quoted

Pablo Neira Ayuso (1):
      libxt_cluster: fix inversion in the cluster match

Patrick McHardy (16):
      Revert "libxtables: change option precedence order to be intuitive"
      Merge branch 'master' of git://dev.medozas.de/iptables
      extensions: libxt_conntrack: add support for specifying port ranges
      extensions: add extension for devgroup match
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'floating/opts' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Merge branch 'opts' of git://dev.medozas.de/iptables
      Merge branch 'floating/opts' of git://dev.medozas.de/iptables
      Merge branch 'master' of git://dev.medozas.de/iptables
      Bump version to 1.4.11

Rob Leslie (1):
      iptables-restore: resolve confusing policy error message

Stefan Tomanek (2):
      ip(6)tables-multi: unify subcommand handling
      iptables: add -C to check for existing rules

Stephen Beahm (1):
      libipt_REDIRECT: avoid dereference of uninitialized pointer

Thomas Graf (2):
      libxt_AUDIT: add AUDIT target
      iptables: add manual page section for AUDIT target

Wes Campaigne (4):
      libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6
      xtables: fix excessive memory allocation in host_to_ipaddr
      xtables: fix the broken detection/removal of redundant addresses
      xtables: use all IPv6 addresses resolved from a hostname